Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    50s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2022, 15:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe

  • Size

    375KB

  • MD5

    4c3c21b3ccc6c66715e0a3706c324769

  • SHA1

    2cb4e1fd586bf9d4c51ec3712249039270fce1a8

  • SHA256

    bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff

  • SHA512

    c40be4367c8769f3ea60bf0e64d475272c85125026d46532962dd1844e7c91b438679861db9f588a2f3378b8e11290ca8bf85e3f5270b9a633f239296c42259f

  • SSDEEP

    6144:Sv5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:S4VOiF1WD7kE1dTYOi8V5u23zmWFy4

Score
10/10
gh0stratratupx

Malware Config

Signatures

  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe
    "C:\Users\Admin\AppData\Local\Temp\bf3b39c755777e70411265cb5b4ab6b0a9030b0444cb6d81fdb474870a7facff.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4148
  • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:376
    • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
      "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
      2⤵
        PID:3904
      • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
        "C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"
        2⤵
          PID:3792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 376 -ip 376
        1⤵
          PID:4376

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          15.9MB

          MD5

          9885584bc24b2ca9b1b5be304df91eb2

          SHA1

          f7ed402df185df63e929f8932d941a07e434987d

          SHA256

          b62e06a57afe1f06e78fcc78232e63a93bbc60eb0826f47b9c6a4ebf0620217b

          SHA512

          d66a3c45a1683c0981791714ed7350742fffeb8cfcfa4847f7751a05283f9d1d179c23155186826ca1454358f13c4220af405d43119e7eef64df7dd47c5f8622

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          14.5MB

          MD5

          4d684f7b7a9ed3f1fcb4cc6d9e111fa8

          SHA1

          f0022450bde02e9319f6ca375b532000ed570594

          SHA256

          33da6389ac63afff45ba9fd802c8bd8fef692c0ba866028fd92ee8296c53153c

          SHA512

          9530a4b23e1aed12d0cd5c2a661e05d7c1bfc24d59b38349952371799c046f32f642874b9e091d77c03e7508972cb346aa23e4528ec4f70ebb6deaf093ce5f93

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          10.5MB

          MD5

          f3d68a8950e2e28db4a29acabd4bcdda

          SHA1

          44adf72df247f2e504f846946af2f35ec6a92e76

          SHA256

          3ddcf6c6743923c2702624665956340acf878c919d0f86111900bca9def06da6

          SHA512

          79bca69324e95e602f5a7db50601c4477057f78e4f531a123860f4a5d50d4f148751f4563783d35f8960c2cb4204f10be20d18028d226f977ef4e8a2800f9379

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          1.2MB

          MD5

          93546a226469359cef90cf8844221bc1

          SHA1

          86b682dcb96b23ee4b600397a2c2f8d986e4b861

          SHA256

          3a0987941bb3d1a4f33e8e1cc9c756a21650e19b3e5135be3d2f5f4bc83626da

          SHA512

          15666e8249acaf9146da11ca1b1babeeba3f709de3e4829c485e4a248616a5061355e569f3cb5ef8065eb3dd466f23d36cc3cc29b8f33ecca2caa99a1506bc60

          Download Submit

        • C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe
          Filesize

          1024KB

          MD5

          0228c07eedfaca989b2a02a4118ca7ed

          SHA1

          20cf3730fa7b56edbb8b2048733dff5758f25af5

          SHA256

          ff691f88ef3ace14ff7f50dc725ef5b8c8896e62ae792249369b15a982b599a8

          SHA512

          8dbea8f39bd85d4979a1cee1ce9efd6dcacd10096f2a1a3bc7fcc1997521a636017b58d5c472260f21810cd8f6b47aa38b4468cfc07ef14b3340455c8e681f82

          Download Submit

        • memory/376-156-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/376-151-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/376-158-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/376-157-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/376-155-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2524-137-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2524-132-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2524-142-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/2524-138-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2524-136-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/2524-135-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/4148-150-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/4148-152-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download

        • memory/4148-148-0x0000000010000000-0x0000000010362000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/4148-159-0x0000000000400000-0x0000000000469000-memory.dmp

          Filesize

          420KB

          Download